Cube.COS - Release Note
Abstract
Bigstack CUBE.COS 2.4 is a major release of the CUBE.COS cloud operating system. This release provides the following updates in Bigstack CUBE.COS version 2.4:
- Based on CentOS Stream 9
- Kernel version: 5.14.0-435
- Nova version: 25.3.0 (Yoga)
- OVN version: 23.03
- Ceph version: 17.2.6 (Quincy)
- Rancher version: v2.7.9
- Nvidia GPU driver version: 535.104
New functionality
- Cloud Computing
  - Added support for VFIO and GPU passthrough
  - Centralized GPU management across GPU nodes
  - Added support for automatic orchestration of GPU / PCI devices
  - Added CLI option to reset instance status for recovery
- Storage
  - Volume Mirror
    - Enhanced mirror management in a single view
    - Added support for journal or snapshot for each mirror rule
    - Added support for instance creation from the target volume in the backup site
    - Virtual machine power state is now aligned with the mirror promotion/demotion process
  - Object Storage: CLI options to manage bucket quota and IP filters
- Networking and Network Security
  - Added CLI option to fix errors on Load Balancer as a Service
- Operation and Management
  - New CLI options:
    - update license by node
    - update license from ISO image
    - check and repair filesystem on instances
    - detect IP address conflicts in the environment
  - Benchmark tools for:
    - hard drives
    - storage pools
  - Added alert management for threshold adjustment:
    - global settings for all alerts
    - individual settings for a specific service
  - Added support for:
    - hard drive model and serial number detection
    - disk failure prediction
    - cluster check on disk failure (new error code)
Changed features
- There is no changed feature in this release.
Fixed defects
- Bug fixes since Cube 2.3.0, including fixpacks and hotfixes.
Fixpacks
Enhancements and fixes in Cube 2.4
- Patched Security Updates
  - Information disclosure flaw found in ansible-core (CVE-2024-0690)
  - A vulnerability was found in Avahi, where a reachable assertion exists in avahi_dns_packet_append_record (CVE-2023-38469)
  - A vulnerability was found in Avahi, where a reachable assertion exists in the dbus_set_host_name function (CVE-2023-38471)
  - A reachable assertion exists in the avahi_rdata_parse() function (CVE-2023-38472)
  - A reachable assertion exists in the avahi_escape_label() function (CVE-2023-38470)
  - A reachable assertion exists in the avahi_alternative_host_name() function (CVE-2023-38473)
  - A flaw that allows an unprivileged user to make a D-Bus call, causing the Avahi daemon to crash (CVE-2023-1981)
  - BIND9: bad allocation of resources that can affect the available memory of the system (CVE-2023-2828)
  - BIND9: prevent a possible endless loop when refreshing stale data (CVE-2023-2911)
  - BIND9: limit the amount of recursion possible in the control channel (CVE-2023-3341)
  - AutoTools does not set CARES_RANDOM_FILE during cross compilation (CVE-2023-31124)
  - Buffer underwrite in ares_inet_net_pton() (CVE-2023-31130)
  - Insufficient randomness in the generation of DNS query IDs (CVE-2023-31147)
  - 0-byte UDP payload denial of service (CVE-2023-32067)
  - Exposure of resource to wrong sphere in runc (CVE-2024-21626)
  - Improper preservation of permissions in runc (CVE-2023-25809)
  - Use of incorrectly-resolved name or reference in runc (CVE-2023-27561)
  - Improper link resolution before file access ('Link Following') in runc (CVE-2023-28642)
  - Allocation of resources without limits or throttling in containerd (CVE-2023-25153)
  - CVE-2023-25173
  - Information leak through Cups-Get-Document operation (CVE-2023-32360)
  - Use-after-free in scheduler/client.c (CVE-2023-34241)
  - Heap buffer overflow that may lead to DoS (CVE-2023-32324)
  - Return an error if the hostname is too long for remote resolve (CVE-2023-38545)
  - Cookie injection with none file (CVE-2023-38546)
  - Lowercase the domain names before PSL checks (CVE-2023-46218)
  - Unify the upload/method handling (CVE-2023-28322)
  - Hostname wildcard checking (CVE-2023-28321)
  - FTP too eager connection reuse (CVE-2023-27535)
  - SSH connection is too eager to reuse (CVE-2023-27538)
  - GSS delegation too eager connection re-use (CVE-2023-27536)
  - SFTP path resolving discrepancy (CVE-2023-27534)
  - TELNET option IAC injection (CVE-2023-27533)
  - HTTP multi-header compression denial of service (CVE-2023-23916)
  - D-Bus: unprivileged user can crash dbus-daemon (CVE-2023-34969)
  - Limited offered EDNS0 size to 1232 (CVE-2023-28450)
  - Integer underflow when processing IA_NA/IA_TA options in a DHCPv6 Advertise message (CVE-2023-45229)
  - Buffer overflow in the DHCPv6 client via a long Server ID option (CVE-2023-45230)
  - Out-of-bounds read when handling an ND Redirect message with truncated options (CVE-2023-45231)
  - Infinite loop when parsing unknown options in the Destination Options header (CVE-2023-45232)
  - Infinite loop when parsing a PadN option in the Destination Options header (CVE-2023-45233)
  - Buffer overflow when processing the DNS Servers option in a DHCPv6 Advertise message (CVE-2023-45234)
  - Buffer overflow when handling the Server ID option from a DHCPv6 proxy Advertise message (CVE-2023-45235)
  - OpenSSL: X.400 address type confusion in X.509 GeneralName (CVE-2023-0286)
  - OpenSSL: use-after-free following BIO_new_NDEF (CVE-2023-0215)
  - Sensitive information disclosure due to improper HTTP body handling in urllib3 (CVE-2023-45803)
  - PyCryptodome and pycryptodomex before 3.19.1 allow side-channel leakage for OAEP decryption, exploitable for a Manger attack (CVE-2023-52323)
  - Possible arbitrary HTML attribute injection leading to Cross-Site Scripting (XSS) in Jinja (CVE-2024-22195)
  - Possible information leakage due to HTTP redirects when custom cookie headers are set in urllib3 (CVE-2023-43804)
  - Removal of an insecure root certificate authority (CVE-2023-37920)
  - Updated httpd to httpd-2.4.62-1.el9.x86_64, addressing CVE-2023-43622
OpenStack Services
Web Frontend
- Horizon (Dashboard)
Shared Services
- Keystone (Identity)
- Glance (Image)
- Barbican (Key Store)
Compute
- Nova (Virtual Machine)
- Ironic (Bare-metal)
Accelerator
- Cyborg (GPU, FPGA, ASIC, NP, SoCs, NVMe/NOF SSDs, ODP, DPDK/SPDK and so on)
Networking
- Neutron (SDN/NFV, VPN as a Service)
- Octavia (Load Balancer as a Service)
- Designate (DNS as a Service)
Storage
- Cinder (Block Storage)
- Manila (File Storage)
- Swift (Object Storage)
Orchestration
- Heat (Orchestration)
- Senlin (Auto-scaling)
Monitoring
- Monasca (Telemetry)
High Availability
- Masakari (Instance HA)
Resource Optimization
- Watcher (Infrastructure Optimization)
Cube Infrascope
- ELK
  - Elasticsearch (v7.10)
  - Opensearch (v2.10)
  - Kibana (v7.10)
  - Opensearch-dashboards (v2.10)
  - Logstash (v8.9.0)
  - Filebeat (v8.10.2)
  - Auditbeat (v8.10.2)
- TIGK
  - Telegraf (v1.17)
  - Influxdb (v1.8.10)
  - Grafana (v7.5.9)
  - Grafana-enterprise (v10.1.5)
  - Kapacitor (v1.5.7)
- Data Pipeline
  - Zookeeper (v2.13)
  - Monasca (v2.5.0)
  - Kafka (v2.7)
Identity
- Keycloak (v17.0.1)
Announcements
The Bigstack CUBE.COS cloud operating system version 2.4 is generally available in May 2024.
Compatibilities
The following Cube-related products are currently supported by Cube 2.4 and can only be run against Cube 2.4 or above.
- CUBE.CMP 1.7
  - Prerequisites: Cube 2.4 with AppFramework deployed
- CUBE.VDI driver and integration
  - Prerequisites: Cube 2.4 and Cube VDI essentials
Contact Bigstack: https://www.bigstack.co/contact/ for details of Cube products.
Installation and Configuration
For CUBE.COS installation, see the following topics in Bigstack documentation.
To get started with CUBE.COS, see Quick Start in Bigstack documentation.
Known issues
After enabling OTP login, the Keycloak page shows nothing.
Related information
Bigstack Co., Ltd. is a software and consulting company, focused on open source, software-defined data center, cloud platforms, and security.
Contact Bigstack: https://www.bigstack.co/contact/